
Where did Wireshark/tcpdump/libpcap intercept packet inside Linux kernel?

Ask Time: 2016-06-14T12:09:53    Author: zzy


According to this, Wireshark is able to get the packet before it is dropped (therefore I cannot get such packets by myself). And I'm still wondering about the exact location in the Linux kernel where Wireshark fetches the packets.

The answer goes as "On UN*Xes, it uses libpcap, which, on Linux, uses AF_PACKET sockets." Does anyone have a more concrete example of using "AF_PACKET sockets"? If I understand Wireshark correctly, the network interface card (NIC) will make a copy of all incoming packets and send it to a filter (Berkeley Packet Filter) defined by the user. But where does this happen? Or am I wrong with that understanding, and am I missing anything here?

Thanks in advance!

Author: zzy, reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article: https://stackoverflow.com/questions/37802820/where-did-wireshark-tcpdump-libpcap-intercept-packet-inside-linux-kernel

Roman Zaitsev:

"But where does this happen?"

If I understood you correctly, you want to know where such a socket is initialized.
There is a pcap_create function that tries to determine the type of the source interface, creates a duplicate of it and activates it.
For a network interface see the pcap_create_interface function => pcap_create_common function => pcap_activate_linux function.
All initialization happens in pcap_activate_linux => activate_new function => iface_bind function
(copy the descriptor of the device with handlep->device = strdup(device);,
create the socket with socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)),
bind the socket to the device with bind(fd, (struct sockaddr *) &sll, sizeof(sll))).
For more detailed information read the comments in the source files of the mentioned functions; they are very detailed.
After initialization all work happens in a group of functions such as pcap_read_linux, etc.
2016-06-14T09:38:46
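A minimal AF_PACKET capture following the socket/bind sequence the answer describes, as an added example that is not code from the question, the answer or libpcap itself. The kernel hands every PF_PACKET socket its own copy of each frame on the generic receive and transmit paths, before IP-layer processing can drop it, which is why such a socket sees what tcpdump and Wireshark see. The interface name "eth0", the helper names and the sample IPv4 header are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <netinet/ip.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The sockaddr_ll bind() gets: one interface (ifindex 0 = all), every EtherType. */
void fill_sockaddr_ll(struct sockaddr_ll *sll, int ifindex) {
    memset(sll, 0, sizeof *sll);
    sll->sll_family   = AF_PACKET;
    sll->sll_ifindex  = ifindex;
    sll->sll_protocol = htons(ETH_P_ALL);
}

/* SOCK_DGRAM strips the link-layer header, so data starts at the IP header.
 * Returns the IPv4 protocol (6 TCP, 17 UDP) or -1 if not a sane IPv4 header. */
int parse_ipv4(const uint8_t *buf, size_t len, uint32_t *src, uint32_t *dst) {
    struct iphdr ip;
    if (len < sizeof ip) return -1;
    memcpy(&ip, buf, sizeof ip);                 /* copy: buf may be unaligned */
    if (ip.version != 4 || ip.ihl < 5 || (size_t)ip.ihl * 4 > len) return -1;
    *src = ntohl(ip.saddr); *dst = ntohl(ip.daddr);   /* host byte order */
    return ip.protocol;
}
/* Constructed sample (not captured): IPv4, TCP, 192.168.1.10 -> 10.0.0.1. */
const uint8_t SAMPLE_IPV4[20] = { 0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x06, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x0a, 0x0a, 0x00, 0x00, 0x01 };

int main(int argc, char **argv) {             /* one live packet; needs CAP_NET_RAW */
    int fd = socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
    struct sockaddr_ll sll, from; socklen_t flen = sizeof from;
    uint8_t buf[65536];
    uint32_t s = 0, d = 0;
    if (fd < 0) { perror("socket"); return 1; }
    fill_sockaddr_ll(&sll, (int)if_nametoindex(argc > 1 ? argv[1] : "eth0")); /* name assumed */
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { perror("bind"); return 1; }
    ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
    if (n < 0) { perror("recvfrom"); return 1; }
    int proto = ntohs(from.sll_protocol) == ETH_P_IP ? parse_ipv4(buf, (size_t)n, &s, &d) : -1;
    printf("%s ifindex %d ethertype 0x%04x ipproto %d %08x->%08x len %zd\n",
           from.sll_pkttype == PACKET_OUTGOING ? "tx" : "rx", from.sll_ifindex,
           ntohs(from.sll_protocol), proto, s, d, n);
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_NET_RAW) and pass an interface name; sll_pkttype tells you whether the copy came from the receive or the transmit path.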